(57) Abstract

A method and apparatus enhance computer security based on pre-registration and tracking of a computer user's log-on location. [illegible] attempting to log-in to a computer network from a location distant to the network. When the location [illegible] which is received by the computer network. The network then determines from the location [illegible] is located during the log-in process. If the individual is at a predefined physical location, the computer grants access; otherwise, access is denied.
A METHOD OF AND APPARATUS FOR COMPUTER SECURITY USING A TRANSMITTING LOCATION DEVICE



BACKGROUND OF THE INVENTION 
FIELD OF THE INVENTION 
The present invention relates to a method of and apparatus for computer security. [illegible] method of and apparatus for adding an additional layer of computer security based on registration and tracking of the computer user's location.

DESCRIPTION OF RELATED ART

The increasing use of remote access, that is the use of a computer or other device to communicate with a computer network from a location distant from the network, has enabled individuals who otherwise do not have authorized access to the computer network to none-the-less violate computer security from afar. The ability of computer hackers to infiltrate a computer network from a distant location can be a serious threat to a company's well-being. This threat is especially serious for companies which have an ever increasing reliance on a workforce who tele-commute to work from home everyday. Thus knowing where an individual is when they attempt to gain entry to the computer network would be an important aspect of computer security.

Position detection for locating individuals, devices, and vehicles has been accomplished. For example, U.S. Patent No. 5,689,269, issued November 18, 1997 to Norris, relates to an apparatus and method for determining the position of a first device relative to the position of a second device using the Global Positioning System (GPS). The first device, with a person or object to be located, transmits telemetry position data to the second device after first receiving a GPS signal and determining its own location using that GPS signal. The second device receives the telemetry position data from the first device and calculates a relative distance between the two devices. The calculation performed by the second device is based on the telemetry position data received from the first device and knowledge about its own position determined from GPS signals that it has previously received. The second device is also capable of determining direction and difference in elevation between the first and second devices.

Further, U.S. Patent No. 5,550,551, issued August 27, 1996 to Alesio, relates to a position monitoring system and method particularly applicable to vehicle monitoring. When activated, a position detector mounted on the vehicle uses GPS signals to determine vehicle location information. On a pre-determined basis, the position detector periodically updates the vehicle location information and transmits a location information signal based on the vehicle's location to a remote dispatch center. The dispatch center receives the transmitted location information signal from the position detector, determines the vehicle location, and relays that information to an appropriate law enforcement agency.

Yet another example, U.S. Patent No. 5,389,934, issued February 14, 1995 to Kass, relates to a portable system for locating a person, vehicle or object. The system uses a GPS unit and a piece of cellular telephone equipment. The system's locating function is first activated by receipt of a telephone call on the piece of cellular telephone equipment. Upon this activation, the system then determines its own location via the GPS unit and responds to the call with a voice message stating its current location. The person, vehicle or object may then be retrieved.

As can be seen, however, while the ability to accurately locate a person, device or vehicle exists, this ability has not been applied to help with computer security. As the threat of a breach of computer security from afar still exists, and in fact seems to be increasing, there still remains a need for a method of enhancing computer security based on detection of location.

SUMMARY OF THE INVENTION

Accordingly, in response, the present invention, as embodied and broadly described herein, provides a method of and apparatus for adding an additional layer of security to the computer log-in process based on registration and detection of location. Thus, an individual who wishes to log-in to a computer system must not only be an authorized user of the system, but must also be attempting to log-in from a pre-registered and authorized location or zone.

Proper location is checked through the use of a transmitting location device. When an individual who is an authorized user of a computer network desires to access that network from a location distant to the network, a location device is activated. Once activated, the location device will transmit a location signal to the computer network.

An additional layer of security is thus added through the use of the transmitting location device. This is accomplished [illegible] in to the network. Once the locating device has been activated and is transmitting a locating signal, the computer network will receive that locating signal and determine where the individual is as they are attempting to log-in. The computer network will then match that determined location against a list of pre-registered locations. If the individual is in fact located at a location that has been pre-registered, the computer network will allow access using both the location information and the standard security measures (e.g. ID and password). Thus not only must the person be an authorized user (which can be determined by the ID and passcode, inter alia), but the location must be a pre-authorized and pre-registered location.

Further, the additional security may be added to the on-going session as well. As the individual is logged-on to the network, the network may reactivate the location device to periodically check the individual's location. Periodic updates allow the computer network to ensure that the individual is still at and/or in the pre-registered location or zone, and that a proper location signal is being received.

The present invention, including its features and advantages, will become more apparent from the following detailed description with reference to the accompanying drawings.



WO99/50734 PCT/US99/05025

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 illustrates a flow chart of a method of enhancing computer security using a transmitting location device in which the location device transmits a location signal during an attempt to log-in to a secure computer network, according to an embodiment of the present invention.

Figure 2 illustrates a schematic of an apparatus by which transmission of the location signal from the location device to the computer network can be carried out, according to an embodiment of the present invention.

DETAILED DESCRIPTION

Figures 1 and 2 show a method and an apparatus for adding an additional layer of security to a computer log-in process based upon a pre-registration operation and a subsequent detection of a computer user's location. Thus the location from which the computer user attempts to log-in, and from which he or she continues to work, becomes an additional element by which computer security may be maintained. If the individual using the computer logs-in from a pre-registered location, and the central computer recognizes that location as an authorized location, log-in to the computer network is permitted. However, if the identified location is determined not to be an authorized location, log-in is not permitted. Subsequent updates of the computer user's location can also be used to ensure that the user is still in the authorized location. Thus if the individual is subsequently determined to be outside of the pre-registered location, access to the computer network can be terminated.

An individual who will have need of logging-in to a computer network from a location outside of the immediate area of the computer network will be required to pre-register the location (or locations) from which he or she shall be logging-in. A central computer will then consider each pre-registered location as an authorized location for that individual. In essence, then, the location is keyed to that individual and is the only location from which the individual may log-in and continue to work. Approval of the location by the central computer may be dependent upon any number of pre-set criteria. Further, ultimate approval may reside with the appropriate company personnel. It is to be understood, then, that the location approval process may be established and administered in any manner which the company (and/or individuals) using the present invention approves. It is not to be limited to simply the embodiment herein described, and is only of importance in ensuring that the registered locations are in fact pre-approved.

The actual locations being pre-registered by the computer user may be a single place or a broader area. For instance, an individual may want to pre-register his or her home, and may also want to pre-register the area which follows a route to and from work. Such a registration scheme thus allows the individual to work from home and also to work while en route to or from work. It is to be understood, of course, that the number of locations which each individual may be allowed to register can be pre-set. Further, registration of places or areas may be keyed to specific days or to specific times of the day. An individual may want to register his or her home only for authorized use during the weekends, when that individual knows he or she may need to work from home. The route to and from work may be registered for those times of the day which the user knows he or she is more likely to be commuting. Even further, if the user knows that he or she will be traveling away on business, the user may pre-register the location to which he or she will be traveling, and may register for only those days on which he or she expects to actually be there.
Detection of the individual's actual location when he or she attempts to log-in to a computer network is accomplished by activation and tracking of a locating device which the individual shall have with them. The individual may either be personally carrying the locating device, or it may be attached to, or an integral part of, the computer terminal (whether portable or fixed) from which the individual is logging-in. The locating device itself is a transmitting and receiving device capable of both sending and receiving a location signal. The transmission of the locating signal may, of course, be continuous or intermittent, and may be digital and/or analog in nature.

Activation and initial tracking of the locating device is triggered by the central computer of the network at the time of log-in. Further explanation of the activation and tracking sequence will be given below with reference to the drawings.
Referring to Figure 1, a central computer may have associated with it a network which from the central computer's perspective is co-located with that computer. In step 100 an individual who will have a need to log-in to the central computer from a site remote from or not co-located with the central computer will pre-register one or more locations from which he or she will want to log-in. Registration of such log-in sites will preferably occur at the location of the central computer using a controller that interfaces with the central computer. Alternatively, such registration may be accomplished from a secure remote site. Once the sites for remote access have been input to the central computer, in step 110 an approval process for each location input will be implemented. As stated above, there may be various approval processes. Preferably someone having a position of authority and/or responsibility for overseeing computer security will give final approval for remote access sites. Further, each site may be designated as "dormant" until an attempt to log-in is made from that remote site. Once a log-in occurs from a site, the site's status may be changed to "active" and notification of the log-in and use of the site may be sent to the appropriate persons (i.e., persons in charge of computer security), and perhaps including the site's registrant. Further, an "active" site which has not been used for a pre-set period of time may be changed back to a "dormant" state. Such classification of sites can be helpful in keeping track of which sites have and/or have not been used and may further help to maintain security.

Once a log-in location has been pre-registered and approved, an individual may access the central computer from that location by logging-in. In step 120 the individual seeking remote access to the central computer and network will log-in in the normally accepted fashion. For instance, the individual will establish contact with the central computer and can present his or her identifying code and password. It is to be understood, of course, that the present invention can be used with any type of log-in procedure, and is not limited to a log-in procedure which uses an identifier and passcode. Further, it should be noted that once a location is registered and approved, as in steps 100 and 110 explained above, the individual need not register that location each time he or she wishes to log-in from that location. On the contrary, the central computer can store the registered and approved location for future use. In other words, steps 100 and 110 need not be repeated each time the method of the present invention is to be utilized. It may be, however, that re-registration of locations will be required on the basis of some pre-selected criteria, and thus steps 100 and 110 will need to be repeated. For instance, re-registration of a location may be required after a certain period of time has elapsed, after a certain number of log-ins from that location have occurred, after a certain total number of system log-ins have occurred, or any other similar criterion.

In step 130, once the central computer is contacted by an attempted log-in, the central computer will identify on the basis of at least one parameter who the individual attempting to log-in purports to be and will activate the location device associated with that individual. In other words, if the central computer determines that the parameters of the identifier and password submitted in the log-in are associated with a computer user named "Tom", then the computer will activate the location device associated with "Tom" and which "Tom" carries around with him. It is to be understood, of course, that identification of the location device to be activated can be accomplished by any method and on the basis of any parameters which assure that the proper location device will be activated. For instance, parameters used in the log-in and subsequent activation may be on the basis of voice recognition, body heat signature, retinal scan, fingerprint scan, and/or visual observation, etc.

Further, actual activation of the location device can be carried out by any method, as long as the locating device is functionally activated. For instance, activation can be accomplished through radio signals, electrical signals, and/or infrared signals. Preferably the location device will be activated through a medium separate from that which the individual is using to log-in to the central computer. That is, for example, if the individual attempting to log-in is doing so over the Internet, the locating device can be activated through the use of satellite relays.

Upon activation, in step 140, the locating device transmits a location signal. Transmission of the location signal can be by any medium which ensures that the location signal is received by the central computer. For example, the location signal can be transmitted via airwave and relayed by satellite, or through land-line using the Internet as a relay. The location signal itself can be any type of signal which is capable of carrying the location data and of being transmitted and received. For instance the signal can be radio wave, infrared, or even microwave. Preferably the location signal is broadcast as a radio wave in either a digital or analog format.

In step 150, the broadcast location signal is received by the central computer and a determination of the location of the locating device is made. In order to make the determination, the location signal may act as a homing beacon or may contain location data (coordinates). If the location signal acts as a homing beacon for the location of the location device, the central computer can determine the location of the locating device. If the locating signal contains location data, that is, the actual location (coordinates) of the locating device, then the location device itself can determine its own location. Either way, position detection will need to be accomplished and it is acceptable that any such position detection method or system be utilized. Preferably, the Global Positioning System is used.

Upon a determination of the location of the locating device, in step 160 the central computer decides if the locating device's location is at, or within a pre-determined proximity of, a pre-registered location. If the location is determined to be valid, log-in will be completed. If the location is not valid, log-in will be terminated. This decision step, then, determines whether access will be granted or denied. If the log-in is allowed to be completed, in step 170 the individual logging-in may then access the data files of the central computer. If the log-in is not allowed, in step 180 the connection is terminated and the central computer can generate appropriate messages to the appropriate parties that an unauthorized log-in was attempted.

In the case where the log-in is allowed because the locating device was determined to be at a pre-registered location, periodic updates of the location of the locating device may be accomplished. This ensures that the locating device stays with the individual who has logged-in, and can also act as a way of checking the original determination of the location of the locating device. Further, if any discrepancies occur in the subsequent updates, the central computer can terminate or restrict access. Lastly, an initial log-in from an authorized site can be used to fine-tune the location's coordinates, if necessary, so that the system can be more accurate.

It should be noted that the central computer may also at any time send a message to the individual identified in step 130 that he or she has been identified as attempting to log-in and/or has been granted access to log-in. Thus if the individual identified in step 130 is at a pre-registered location, but is in fact not logging-in to the central computer, that individual can notify the appropriate personnel and access to the unauthorized individual in fact logging-in can be denied and/or terminated. Messages may be sent in any fashion which will reach the authorized individual identified in step 130. For instance, a message may be sent via telephone, pager, priority e-mail, etc.

Referring to Figure 2, transmission of the location signal is shown. In this example, the central computer 1 communicates with remote computer 2 via communication medium 4, and with location device 3 via communication medium 6. Thus, when an individual attempts to log-in to the central computer 1 using remote computer 2, the central computer 1 sends an activation signal by communication medium 6 to the location device 3. Communication medium 6 uses satellite system 5 for relay of communication. In response, location device 3 sends location signal 7 via communication medium 6 to central computer 1.

It should be noted that other information can be sent along with the location signal. For instance, information which might be sent might include a "time stamp". Such a "time stamp" could be utilized as an assurance that the location signal is being sent from the location indicated by it. The central computer could be synchronized to the GPS atomic clock and determinations of how long the location signal took to transmit could be made. Also, for instance, a passcode for the location device could be sent. A separate passcode for the location device would ensure that the proper location device was transmitting the location signal.
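
The decision of step 160, together with registrations keyed to days and times and the "time stamp" and device passcode described above, can be sketched as follows. This is an added example, not code from the patent: the class and function names, the 150 m radius, the 10-second freshness limit, the use of UTC for time windows and the sample coordinates are all assumptions constructed for illustration.

```python
import hmac
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EARTH_RADIUS_M = 6_371_000.0


@dataclass(frozen=True)
class RegisteredSite:
    """One pre-registered, approved log-in location (hypothetical structure)."""
    name: str
    lat: float
    lon: float
    radius_m: float        # the "pre-determined proximity" of step 160
    weekdays: frozenset    # days the registration is keyed to, 0 = Monday
    start_hour: int        # window start, inclusive (UTC in this sketch)
    end_hour: int          # window end, exclusive


@dataclass(frozen=True)
class LocationSignal:
    """Location signal carrying coordinates, a time stamp and a device passcode."""
    device_id: str
    passcode: str
    lat: float
    lon: float
    sent_at: datetime


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def decide_login(user, signal, received_at, devices, sites,
                 max_age=timedelta(seconds=10)):
    """Return (granted, reason). Usable at log-in and on each periodic update."""
    device = devices.get(user)
    # The signal must come from the device associated with the identified user.
    if device is None or device["device_id"] != signal.device_id:
        return False, "wrong-device"
    # Constant-time comparison of the device passcode.
    if not hmac.compare_digest(device["passcode"].encode(), signal.passcode.encode()):
        return False, "bad-device-passcode"
    # Reject signals whose time stamp is too old or lies in the future.
    age = received_at - signal.sent_at
    if age < timedelta(0) or age > max_age:
        return False, "stale-timestamp"
    for site in sites.get(user, ()):
        in_window = (received_at.weekday() in site.weekdays
                     and site.start_hour <= received_at.hour < site.end_hour)
        if not in_window:
            continue
        distance = haversine_m(signal.lat, signal.lon, site.lat, site.lon)
        if distance <= site.radius_m:
            return True, site.name
    return False, "unregistered-location"


# Constructed sample data: "tom" has registered his home for weekends only.
DEVICES = {"tom": {"device_id": "dev-001", "passcode": "constructed-passcode"}}
SITES = {"tom": [RegisteredSite("home", 40.0, -75.0, 150.0, frozenset({5, 6}), 0, 24)]}


def sample_signal(lat, lon, sent_at, passcode="constructed-passcode"):
    """Build a constructed signal from tom's device."""
    return LocationSignal("dev-001", passcode, lat, lon, sent_at)


if __name__ == "__main__":
    saturday = datetime(2024, 1, 6, 14, 0, 0, tzinfo=timezone.utc)
    monday = datetime(2024, 1, 8, 14, 0, 0, tzinfo=timezone.utc)
    lag = timedelta(seconds=2)
    cases = [
        ("near home, Saturday", sample_signal(40.0005, -75.0, saturday - lag), saturday),
        ("near home, Monday", sample_signal(40.0005, -75.0, monday - lag), monday),
        ("1 km away, Saturday", sample_signal(40.01, -75.0, saturday - lag), saturday),
        ("old time stamp", sample_signal(40.0005, -75.0, saturday - 30 * lag), saturday),
    ]
    for label, sig, now in cases:
        print(label, decide_login("tom", sig, now, DEVICES, SITES))
```
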

Thus, as can be seen from the foregoing description, an additional layer of computer security can be added to present computer security systems through the use of the present invention. Further, implementation of the present invention would require only nominal system adjustments.

In the foregoing description, the method and apparatus of the present invention have been described with reference to a specific example. It is to be understood and expected that variations in the principles of the method and apparatus herein disclosed may be made by one skilled in the art and it is intended that such modifications, changes, and substitutions are to be included within the scope of the present invention as set forth in the appended claims. The specification and the drawings are accordingly to be regarded in an illustrative rather than in a restrictive sense.

Claims:

1. A method for enhancing computer security using a location device, comprising the steps of:
registering at least one remote log-in location for a computer network;
registering a log-in contact to the computer network;
commanding activation of the location device upon establishment of the log-in contact;
receiving a location signal from the location device;
determining a location of the [illegible] received location signal; and
determining whether the location of the location device is an authorized location with reference to the registered information that identifies the at least one authorized remote log-in location.

2. The method according to claim 1, further comprising the step of:
approving the registration of the at least one remote log-in location.

3. The method according to claim 1, further comprising the step of:
identifying the location device to be activated upon at least one parameter contained in the log-in contact.

4. The method according to claim 1, further comprising the step of:
determining an update of the location of the location device.

5. The method according to claim 1, further comprising the step of:
sending a message to an individual to whom the location device is identified as belonging.

6. The method according to claim 1, wherein activation of the location device is accomplished by radio wave.

7. The method according to claim 1, wherein the transmitted location signal may contain a plurality of data.

8. The method according to claim 7, wherein the plurality of data are location coordinates derived from a Global Positioning System.

9. The method according to claim 1, wherein the transmitted location signal contains a "time stamp".

10. The method according to claim 1, wherein access to the computer network is granted if the location of the location device matches the at least one remote registered log-in location.

11. The method according to claim 1, wherein access to the computer network is denied if the location of the location device does not match the at least one remote registered log-in location.

12. A method for enhancing computer security using a location device, comprising the steps of:
storing information identifying at least one authorized remote log-in location for log-in to a computer;
establishing a log-in contact with the computer;
activating transmission of a locating signal from the location device upon the log-in contact;
determining a location of the location device on the basis of the locating signal; and
determining whether the location of the locating device corresponds to the at least one remote log-in location.

13. The method according to claim 12, further comprising the step of:
securing authorization for the storing of the at least one remote log-in location.

14. The method according to claim 12, further comprising the step of:
identifying the location device from which the location signal is to be activated upon at least one parameter contained in the log-in contact.

15. The method according to claim 12, further comprising the step of:
determining an update of the location of the location device.

16. The method according to claim 12, further comprising the step of:
sending a message to an individual to whom the location device is identified as belonging.



17. The method according to claim 12, wherein activation of the location device is accomplished by radio wave.

18. The method according to claim 12, wherein the transmitted location signal may contain a plurality of data.

19. The method according to claim 18, wherein the plurality of data are location coordinates derived from a Global Positioning System.

20. The method according to claim 12, wherein the transmitted location signal contains a "time stamp".

21. The method according to claim 12, wherein computer access is granted if the location of the location device matches the at least one authorized remote log-in location.

22. The method according to claim 12, wherein computer access is denied if the location of the location device does not match the at least one authorized remote log-in location.

23. A method for enhancing computer security using a location device, comprising the steps of:
receiving a log-in contact;
commanding activation of the location device upon receipt of the log-in contact;
determining a location of the location device on the basis of a received location signal; and
determining whether the location of the location device corresponds to an authorized remote log-in location.

24. The method according to claim 23, further comprising the step of:
storing information identifying at least one authorized remote log-in location for log-in to a computer.

25. The method according to claim 24, further comprising the step of:
securing authorization for the storing of the at least one remote log-in location.

26. The method according to claim 23, further comprising the step of:
identifying the location device to be activated upon at least one parameter contained in the log-in contact.

27. The method according to claim 23, further comprising the step of:
determining an update of the location of the location device.

28. The method according to claim 23, further comprising the step of:
sending a message to an individual to whom the location device is identified as belonging.

29. The method according to claim 23, wherein activation of the location device is accomplished by radio wave.

30. The method according to claim 23, wherein the transmitted location signal may contain a plurality of data.

31. The method according to claim 30, wherein the plurality of data are location coordinates derived from a Global Positioning System.

32. The method according to claim 23, wherein the transmitted location signal contains a "time stamp".

33. The method according to claim 23, wherein computer access is granted if the location of the location device matches the authorized remote log-in location.

34. The method according to claim 23, wherein computer access is denied if the location of the location device does not match the authorized remote log-in location.

35. An apparatus for enhancing computer security using a location device, comprising:
a central computer,
means for receiving a location signal sent from the location device to the central computer, the location signal containing at least a location of the location device,
wherein access of the central computer is determined on the basis of the location of the location device matching a pre-registered access location.

36. The apparatus according to claim 35, further comprising:
means for determining the location of the locating device.

37. The apparatus according to claim 36, further comprising:
a means for communicating between the central computer and a remote station.

38. An apparatus for enhancing computer security using a location device, comprising:
a memory storing at least one authorized remote log-in location information;
a means for allowing a remote log-in contact;
an activator activating transmission of a location signal from the location device;
a receiver receiving the transmission of the location signal;
a means for determining a location of the location device on the basis of the transmitted location signal;
a central computer which determines whether the location of the location device is an authorized location with reference to the stored at least one authorized remote log-in location information.